I am reading the source code of Monero. In the Bulletproof prover, there is always a line like T1 = rct::scalarmultKey(T1, INV_EIGHT). Why is there always an INV_EIGHT multiplication with the point? Can anyone help me? Thank you.
2 Answers
2
For security reasons, input points should be multiples of 8. While there is no known exploit if they're not in this case, having them be multiples of 8 means we can rule those out in the first place. The obvious way to ensure this is to check whether input points are multiples of 8 in the verification code. However, this is slow. Multiplying a point by 8 turns out to be much faster, so the prover will multiply its final points by 1/8, then the verifier will multiply by 8, thereby restoring the original points. This allows the verifier to ensure its input points are all multiples of 8 while still being fast.
user36303
1
T1 is a curve point. It is multiplied by 8 to ensure it is on the main subgroup of the Ed25519 curve.
jtgrassie
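Both answers describe the same mechanism from different angles: the prover multiplies its points by INV_EIGHT (the inverse of 8 modulo the group order l), the verifier multiplies by 8, and the product 8 * INV_EIGHT is 1 modulo l but 0 modulo the cofactor, so any small-order component of the point is cancelled while a point that was already in the prime-order subgroup comes back unchanged. The following is an added example, not part of the question, the answers, or Monero's code: pure-Python affine Ed25519 arithmetic (constructed here for illustration, far too slow for real use) that builds a point of exact order 8, adds it to an honest point, and compares the direct membership check l * P == identity against the INV_EIGHT / 8 round trip. The function names (find_order8_point, prover_then_verifier, demo) are my own.

```python
# Added example: toy affine Ed25519 arithmetic to show what INV_EIGHT does.
# Not Monero code; the helper names below are invented for this illustration.

p = 2**255 - 19
l = 2**252 + 27742317777372353535851937790883648493   # prime order of the base point B
d = (-121665 * pow(121666, -1, p)) % p                 # Ed25519 curve constant
I = pow(2, (p - 1) // 4, p)                            # a square root of -1 mod p
IDENTITY = (0, 1)
INV_EIGHT = pow(8, -1, l)                              # Monero's INV_EIGHT: 8^-1 mod l


def sqrt_mod_p(a):
    """Square root modulo p (p = 5 mod 8), or None if a is not a square."""
    a %= p
    x = pow(a, (p + 3) // 8, p)
    if (x * x - a) % p != 0:
        x = (x * I) % p
    if (x * x - a) % p != 0:
        return None
    return x


def on_curve(P):
    """Twisted Edwards equation with a = -1: -x^2 + y^2 = 1 + d x^2 y^2."""
    x, y = P
    return (-x * x + y * y - 1 - d * x * x * y * y) % p == 0


def add(P, Q):
    """Complete affine addition formulas for a = -1 (no exceptional cases)."""
    x1, y1 = P
    x2, y2 = Q
    t = (d * x1 * x2 * y1 * y2) % p
    x3 = (x1 * y2 + x2 * y1) * pow(1 + t, -1, p) % p
    y3 = (y1 * y2 + x1 * x2) * pow(1 - t, -1, p) % p
    return (x3, y3)


def mul(k, P):
    """Plain double-and-add scalar multiplication (no side-channel hardening)."""
    R = IDENTITY
    while k > 0:
        if k & 1:
            R = add(R, P)
        P = add(P, P)
        k >>= 1
    return R


# Base point B: y = 4/5, x recovered from the curve equation, even x chosen.
By = (4 * pow(5, -1, p)) % p
Bx = sqrt_mod_p((By * By - 1) * pow(d * By * By + 1, -1, p))
if Bx % 2 != 0:
    Bx = p - Bx
B = (Bx, By)


def find_order8_point():
    """Construct a point T of exact order 8.

    2T must be one of the order-4 points (+-I, 0), so the doubling formula
    forces y^2 = -x^2; substituting into the curve equation gives
    d*x^4 - 2*x^2 - 1 = 0, i.e. x^2 = (1 +- sqrt(1 + d)) / d.
    """
    s = sqrt_mod_p(1 + d)
    if s is None:
        raise RuntimeError("1 + d is not a square; cannot build the torsion point")
    for candidate in (1 + s, 1 - s):
        x = sqrt_mod_p(candidate * pow(d, -1, p) % p)
        if x is None:
            continue
        T = (x, (x * I) % p)          # y = I*x gives y^2 = -x^2
        if on_curve(T) and mul(4, T) != IDENTITY and mul(8, T) == IDENTITY:
            return T
    raise RuntimeError("no order-8 point found")


def is_in_prime_subgroup(P):
    """The direct (slow) check: a full ~253-bit scalar multiplication per point."""
    return mul(l, P) == IDENTITY


def prover_then_verifier(P):
    """Prover publishes INV_EIGHT * P; verifier uses 8 * (INV_EIGHT * P)."""
    return mul(8, mul(INV_EIGHT, P))


def demo():
    """Honest point vs. the same point with an order-8 component added."""
    T = find_order8_point()
    clean = mul(12345, B)             # constructed honest point in the l-subgroup
    tainted = add(clean, T)           # same point plus a torsion component
    return {
        "clean_in_subgroup": is_in_prime_subgroup(clean),
        "tainted_in_subgroup": is_in_prime_subgroup(tainted),
        "clean_roundtrip_unchanged": prover_then_verifier(clean) == clean,
        "tainted_roundtrip_strips_torsion": prover_then_verifier(tainted) == clean,
        "eight_T_is_identity": mul(8, T) == IDENTITY,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The cost difference the first answer refers to is visible in the two checks: is_in_prime_subgroup runs a scalar multiplication by the 253-bit order l for every input point, whereas the verifier's multiplication by 8 is three doublings. The round trip does not detect a torsion component; it silently removes it, which is exactly why the verifier can skip the membership check.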